Rocky Series Release Notes

7.0.0-17

Deprecation Notes

  • Deprecated the generate_iv option name. It has been renamed to aes_gcm_generate_iv to reflect the fact that it only applies to the CKM_AES_GCM mechanism.

Bug Fixes

  • Fixed Story #2004734: Added a new option always_set_cka_sensitive to fix a regression that affected Safenet HSMs. The option defaults to True as required by Safenet HSMs. Other HSMs may require it be set to False.

7.0.0

New Features

  • Added new options to the PKCS#11 Cryptographic Plugin configuration to enable the use of different encryption and hmac mechanisms. Added support for CKM_AES_CBC encryption in the PKCS#11 Cryptographic Plugin.

  • Remap the order:put to orders:put to align with language in the orders controller.

Upgrade Notes

  • (For deployments overriding default policies) After upgrading, please review Barbican policy files and ensure that any rules tied to order:put are remapped to orders:put.

Deprecation Notes

  • Deprecated the p11_crypto_plugin:algoritm option. Users should update their configuration to use p11_crypto_plugin:encryption_mechanism instead.

Bug Fixes

  • By default, Barbican checks only the algorithm and the bit_length when creating a new secret. XTS mode splits the key in half for AES, so using aes-256 with xts requires a 512 bit key, but Barbican allowed a maximum of only 256 bits. A check for the mode was added to the _is_algorithm_supported method of the class SimpleCryptoPlugin to allow 512 bit keys for aes-xts in this plugin.

  • Fixed the response code for invalid subroutes for individual secrets. The API was previously responding with the incorrect code “406 - Method not allowed”, but now responds correctly with “404 - Not Found”.
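
The mode-aware key-length check described in the aes-xts fix above, as an added sketch that is not Barbican's SimpleCryptoPlugin code. The names is_key_length_supported and split_xts_key are hypothetical, and the distinct-halves check goes beyond what the note describes.

```python
import hmac

# Total key sizes in bits. An XTS key is two equal-size AES keys concatenated,
# so AES-128-XTS takes 256 bits and AES-256-XTS takes 512 bits.
AES_KEY_BITS = {128, 192, 256}
AES_XTS_KEY_BITS = {256, 512}


def is_key_length_supported(algorithm, bit_length, mode=None):
    """Return True if bit_length is valid for this algorithm and mode."""
    if algorithm is None or bit_length is None:
        return False
    if algorithm.lower() != "aes":
        return False  # this sketch covers AES only
    if mode is not None and mode.lower() == "xts":
        return bit_length in AES_XTS_KEY_BITS
    # Without XTS, 512 bits must stay rejected.
    return bit_length in AES_KEY_BITS


def split_xts_key(key):
    """Split an XTS key into its data and tweak halves."""
    if len(key) * 8 not in AES_XTS_KEY_BITS:
        raise ValueError("XTS key must be 256 or 512 bits")
    half = len(key) // 2
    data_key, tweak_key = key[:half], key[half:]
    # Identical halves weaken XTS; compare in constant time.
    if hmac.compare_digest(data_key, tweak_key):
        raise ValueError("XTS key halves must differ")
    return data_key, tweak_key


if __name__ == "__main__":
    # Constructed sample requests: (algorithm, bit_length, mode)
    for req in [("aes", 256, "cbc"), ("aes", 512, "cbc"), ("aes", 512, "xts")]:
        print(req, is_key_length_supported(*req))
    data_key, tweak_key = split_xts_key(bytes(range(64)))
    print(len(data_key) * 8, "bit AES data key")
```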

Other Notes

  • The default value of ‘control_exchange’ in ‘barbican.conf’ has been changed to ‘keystone’.